Ask a Question

APC Security Advisory - Vulnerabilities in TCP

Issue

Fundamental weaknesses in TCP/IP can allow an attacker to corrupt data, hijack sessions, or cause a denial-of-service condition (DOS or DDOS). This advisory is in response to Technical Cyber Security Alert TA04-111A. System administrators who use the APC TCP/IP-based network products should read this advisory.

Product Line

All APC products that connect to a TCP/IP network

Environment

Utilizing an APC product that connects to a TCP/IP network

Cause

Unlike the Border Gateway Protocol (BGP) used by routers, TCP connections used with APC products are typically transient. This means that an attack would have to be performed while the product was being actively accessed by a user. Furthermore, TCP window sizes for APC applications are typically very small and make it more difficult for an attacker.

Resolution

If available, deploy and use cryptographically secure protocols like SSL/TLS and SSH. These protocols prevent attackers from corrupting data and hijacking sessions. However, they do not prevent denial-of-service since authentication is performed above the transport layer (TCP).

To reduce the possibility of a denial-of-service condition it is recommended that APC products be protected by a firewall that can detect and respond to that class of attacks. In general, US-CERT recommends utilizing network security tactics such as Deploying and Use Cryptographically Secure Protocols, Ingress filtering, Network Isolation, and Egress filtering.

Status of this notice: INTERIM

THIS IS AN INTERIM ADVISORY. ALTHOUGH APC CANNOT GUARANTEE THE ACCURACY OF ALL STATEMENTS IN THIS NOTICE, ALL OF THE FACTS HAVE BEEN CHECKED TO THE BEST OF OUR ABILITY. APC DOES NOT ANTICIPATE ISSUING UPDATED VERSIONS OF THIS ADVISORY UNLESS THERE IS SOME MATERIAL CHANGE IN THE FACTS. SHOULD THERE BE A SIGNIFICANT CHANGE IN THE FACTS, APC MAY UPDATE THIS ADVISORY. A STAND-ALONE COPY OR PARAPHRASE OF THE TEXT OF THIS SECURITY ADVISORY THAT OMITS THE DISTRIBUTION URL IN THE FOLLOWING SECTION IS AN UNCONTROLLED COPY, AND MAY LACK IMPORTANT INFORMATION OR CONTAIN FACTUAL ERRORS.

IN NO EVENT SHALL EITHER APC, ITS OFFICERS, DIRECTORS, AFFILIATES OR EMPLOYEES, BE LIABLE FOR ANY SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY KIND INCLUDING, BUT NO LIMITED TO, LOSS OF PROFITS ARISING OUT OF THE USE OR IMPLEMENTATION OF THE INFORMATION CONTAINED HEREIN HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN AN ACTION FOR CONTRACT, STRICT LIABILITY OR TORT (INCLUDING NEGLIGENCE) OR OTHERWISE, WHETHER OR NOT APC HAS BEEN ADVISED OR THE POSSIBILITY OF SUCH DAMAGE AND NOTWITHSTANDING THE FAILURE OF ESSENTIAL PURPOSE OF ANY REMEDY.